OneTrust_Square Banner_300x250_DD_ROS_01_19

Shortly after receiving the IAPP’s 2014 Leadership Award at this year’s Global Privacy Summit, Federal Trade Commissioner Julie Brill sat down with DLA Piper Partner Jim Halpert for an intimate discussion about the agency’s priorities moving forward. Among the most pressing challenges for Brill and the agency are the effects emerging technology is having on the Fair Information Practice Principles paradigm, ensuring that organizations apply robust data security measures and assuaging international concerns about the data collection practices of U.S. government and business.

Speaking in front of a packed room of privacy professionals, Brill applauded their efforts. “You are all on the front lines,” she said, “and we’re in the same endeavor.”

DLA Partner Jim Halpert interviewing FTC Commissioner Julie Brill

Her candid, one-hour discussion provides a window into the efforts and concerns of the FTC.

Data Brokers and Transparency

All through her Reclaim Your Name project, Brill has been candid about her concerns with the data broker industry and its lack of transparency for consumers. During her Global Privacy Summit conversation, she explained some of her reasoning. Data brokers, she said, often share deeply sensitive data and are often not consumer-facing, challenging the concepts of notice and choice. Consumers have no idea their data is being collected and shared among a complex network of businesses. “I think long notices are still important,” said Brill, “as with other things, but with data brokers, there’s not opportunity for that. The Internet of Things (IoT) has similar issues. Many devices will not have a consumer interface,” she said.

Brill said the oft-cited, male, “silver-bullet” solution is not a realistic path to take. Rather, “We need a Jungian female solution” that addresses challenges using multiple tools.

Sen. Jay Rockefeller’s (D-WV) staff report, the Government Accountability Office’s study and the work of a slew of investigative reporters all point to a network of data flows with consumer information that is often highly sensitive, she noted. Data brokers often know if a person is suffering from diseases like cancer or obesity or diabetes. Similarly, data brokers, in some cases, have been known to categorize consumers into “second city urban strugglers” or recent widows.

“Whatever these titles are,” she warned, “these are euphemisms for race and economic status, and that is deeply concerning.”

In addition to being tracked and categorized, consumers, for the most part, do not have a means to access and correct the data collected about them. For Brill, that’s where transparency should play a role. Consumers should have a right to interact with these organizations, particularly if decisions about eligibility are being made based on the data.

Industry has noted that consumer access to data broker profiles raises a host of security and authentication risks. Brill cited the work of Acxiom in providing consumers with a web portal, saying it was a “good first step,” but more should be done. And with security, Brill said she’s heartened to hear industry is concerned about security but noted the credit reporting industry has figured out how to provide consumers with access to highly sensitive credit reports.

“I don’t think it’s rocket science,” she said. “It’s a big issue, and it must be dealt with.”

De-identification and the Ethics of Privacy

A good law, Brill said, hinges on the trigger point of notification. Additionally, if federal legislation is enacted, it should give enforcement powers to state AGs.

Yet transparency, for Brill, is only part of a larger tapestry of solutions. The oft-cited, male, “silver-bullet” solution is not a realistic path to take, she said. Rather, “We need a Jungian female solution” that addresses challenges using multiple tools.

“We need to focus more on de-identification with respect to Big Data,” she said, and think about the best practices of de-identification. People like newly appointed FTC Technologist LaTanya Sweeney have an important role to play here, and Brill said she looks forward to working with Sweeney more thoroughly. “We don’t have her for long,” she said, “but we’ll milk it.”

Along with de-identification best practices, companies should think about the ethics of what they’re doing. Brill said she’s also a supporter of algorithmists—professionals who embed ethical standards within algorithms—and Prof. Ryan Calo’s proposed consumer subject review boards.

“We also need legislation,” she said, “Some baseline to level the playing field.” The Health Information Portability and Accountability Act, for example, is not covering all health data, just covered entities. What about data generated from mobile health apps or other wearable devices?

“We need to move away from silos because of the way information is now flowing,” she said.

And the business community is starting to change its tune. Microsoft’s Brad Smith, for example, has recently opined on the importance of privacy, while a McKinsey & Company blog post recently said privacy is the third rail and if the business community doesn’t get this right, it won’t move forward.

The Risk-Based Approach and Regulating Use

With a movement in the European Union toward a risk-based approach, there was a lot of talk at the Summit as to whether that will be enough.

“It’s very important,” said Brill, and “necessary but not sufficient. It can’t replace some of the other things we need to do to protect privacy. The bottom line is that a focus on privacy as risk is good; I want businesses to be thinking about that.” The more that’s done, she said, the more the issue will migrate to the C-suite.

Though Brill said she supports a risk-based framework, it cannot replace notice and choice. “We need to get advertisers and lawyers into the space,” she said. “The lawyers can’t be the only ones making decisions on how to communicate with consumers.”

Who decides what harm is? For Brill, it should be everyone—from the algorithmist and consumer data review board member to the CEO and privacy pro. “Congress, the public, we all need to be in the what-is-harm-discussion. I want us all to have a role in thinking about what is harmful to the uses we’re seeing.”

This is all “part of the tapestry we need to be reweaving in this country,” Brill said.

Data Security and Breach Notification

The recent Wyndham case has brought up questions on the role the FTC should play in regulating business data security practices. Additionally, all but four U.S. states have a data breach notification law on the books, making what some call a patchwork quilt and corresponding encumbrance to businesses.

Brill said the FTC will “keep chugging away” at data security issues.

“I want to make this clear: We don’t play the gotcha game. We don’t look for perfect security,” she said. “Stuff happens, and we recognize there’s a nuclear arms race” in the cybersecurity world. She noted that, often, businesses with which they do have contact have good security. “And that’s what we’re looking for,” she said.

As more businesses move toward mobile and the IoT, security becomes an even greater challenge, meaning a greater challenge for privacy professionals as well.

Brill also said the agency has been unanimous in supporting breach notification legislation but warned that if the federal government were to preempt state laws and draft federal legislation, it must be robust enough to truly protect consumers. A good law, she said, hinges on the trigger point of notification. Additionally, if federal legislation is enacted, it should give enforcement powers to state AGs.

FTC Authority and Global Interoperability

Some have argued that the FTC should be granted greater enforcement authority to keep up with Big Data and IoT issues. Brill, however, said she thought Section 5 of the FTC Act has given the agency sufficient authority. Section 5, she said, was meant to be flexible as markets and technologies changed.

Criticisms in Europe about the Safe Harbor reached almost fever pitch in 2013 after the Snowden revelations, but earlier this year, the FTC brought cases against 12 companies for violating the agreement. Brill said she’s a strong believer in Safe Harbor.

One solution Brill had for Safe Harbor? Get rid of alternative dispute resolution fees.

“I don’t want to take away a tool that I have to enforce and protect citizens,” she said.

Part of the problem, she said, is that the agency, in the past, has not received many complaints against companies violating the Safe Harbor. She also said she’s asked European data protection authorities to tell the FTC when they find violations. She also noted that European DPAs should clearly link to the Safe Harbor page on their websites and help educate EU citizens on it so they know where to go if they have a concern or problem with a company.

Commissioners María Elena Pérez-Jaén Zermeño, Mexico; Christopher Graham, UK; Jacob Kohnstamm, the Netherlands; Julie Brill, U.S., and Isabelle Falque-Pierrotin, France.

Brill said she backs improvements to the Safe Harbor but not a full renegotiation. She hinted that there are some “low-hanging fruit” to help ease European concerns. One solution Brill had for Safe Harbor? Get rid of alternative dispute resolution fees.

On the world stage, the FTC is proactively working with fellow privacy regulators around the world.

“We are working to try to have a better mutual understanding of what enforcement is,” she said. “Part of that dialogue is showing how much we do at the FTC.”

She noted that she is currently on the Executive Committee representing the International Conference of Data Protection and Privacy Commissioners. She also speaks with her European counterparts regularly.

“We do enforcement work really well,” she said, adding, “It may not be the same system as in the EU, but we do a good job as well.”

Written By

Jedidiah Bracy, CIPP/E, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»